@RISK Newsletter for March 03, 2016

The consensus security vulnerability alert.

Vol. 16, Num. 09

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.

CONTENTS:

TOP VULNERABILITY THIS WEEK: OpenSSL Releases Security Advisory for Several Vulnerabilities

NOTABLE RECENT SECURITY ISSUES SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP

Title: OpenSSL Releases Security Advisory for Several Vulnerabilities
Description: The OpenSSL Software Foundation has released a security advisory to address several security flaws within the library. The most severe vulnerabilities addressed are related to the newly disclosed DROWN vulnerability (CVE-2016-0800), a cross-protocol attack that exploits SSLv2 support, as well as a "Divide-and-conquer session key recovery" attack (CVE-2016-0703). Several other Low to Moderate severity flaws were also addressed in the security advisory. Patches for these vulnerabilities have been developed and released. Users and administrators are strongly encouraged to update their systems as soon as possible.
Reference: https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html
https://drownattack.com/
Snort SID: Detection pending
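The precondition for DROWN is a server (or another server sharing the same RSA key) that still accepts SSLv2 handshakes, so the first check a practitioner wants is whether a host answers an SSLv2 CLIENT-HELLO. The following added example is not from the newsletter, the OpenSSL project or drownattack.com; it encodes an SSLv2 CLIENT-HELLO, parses the SERVER-HELLO, and runs the parser over a constructed SSLv2 reply and a constructed TLS alert. The function and constant names, the placeholder certificate bytes and the sample replies are this example's own assumptions.

```python
import socket
import struct

# SSL 2.0 handshake constants (from the SSL 2.0 protocol specification).
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002

# The seven cipher specs defined by SSL 2.0, three bytes each.
SSL2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge: bytes = b"\x11" * 16) -> bytes:
    """Encode an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher spec."""
    ciphers = b"".join(SSL2_CIPHER_SPECS)
    # msg type, version, cipher-specs length, session-id length, challenge length
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       len(ciphers), 0, len(challenge)) + ciphers + challenge
    # Two-byte record header: high bit set means no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def _record_body(data: bytes):
    """Split off one SSLv2 record; None when the bytes are not yet a complete record."""
    if len(data) < 3:
        return None
    if data[0] & 0x80:                      # 2-byte header, no padding
        length, offset = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                   # 3-byte header, third byte is padding length
        length, offset = ((data[0] & 0x3F) << 8) | data[1], 3
    if len(data) < offset + length:
        return None
    return data[offset:offset + length]


def parse_server_hello(data: bytes):
    """Return the cipher specs advertised in an SSLv2 SERVER-HELLO, or None when the
    reply is not one (a TLS alert, garbage, or an empty read after the peer closed)."""
    body = _record_body(data)
    if body is None or len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    # session-id hit, certificate type, version, cert len, cipher-specs len, conn-id len
    _hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack(">BBHHHH", body[1:11])
    if version != SSL2_VERSION:
        return None
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSL2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Send an SSLv2 CLIENT-HELLO to host:port and return the advertised cipher specs,
    or None if the server does not speak SSLv2 (it answers with a TLS alert or closes)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while _record_body(data) is None:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_server_hello(data)


# Constructed SERVER-HELLO as an SSLv2-enabled server would answer: a placeholder
# certificate (not real DER), two cipher specs, and a 16-byte connection id.
_CERT, _SPECS, _CONN_ID = b"\x30\x03\x02\x01\x01", b"\x01\x00\x80\x07\x00\xc0", b"\x00" * 16
_HELLO_BODY = (struct.pack(">BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION,
                           len(_CERT), len(_SPECS), len(_CONN_ID)) + _CERT + _SPECS + _CONN_ID)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_HELLO_BODY)) + _HELLO_BODY
# Constructed reply from a server without SSLv2: a TLS 1.0 handshake_failure alert.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"
```

Run it offline with parse_server_hello(SAMPLE_SERVER_HELLO) and parse_server_hello(SAMPLE_TLS_ALERT), or against a host you are authorised to test with probe_sslv2("host", 443). A None result for one host is not a clean bill of health for DROWN: any other service that uses the same RSA key and still speaks SSLv2 (an SMTP or IMAP server, for instance) exposes the TLS host as well, so probe every port the key is deployed on.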

Title: Drupal Releases Critical Security Advisory for Multiple Vulnerabilities
Description: Drupal has released a critical security advisory for several vulnerabilities in the Drupal Core. The most severe flaws patched could allow a user to bypass access controls related to form submission or to conduct HTTP header injection attacks through the use of line breaks on servers with older versions of PHP. Several other vulnerabilities that were rated Less Critical to Moderately Critical were also addressed in the security advisory. Drupal has released updated software that addresses these vulnerabilities.
Reference: https://www.drupal.org/SA-CORE-2016-001
Snort SID: Detection pending release of vulnerability information
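The header injection flaw depends on a response header being assembled from untrusted input that contains CR/LF, which PHP's header() only started refusing in 5.1.2; hence the "older versions of PHP" caveat. The following is an added illustration of that class of bug, not Drupal code: the unchecked builder lets an attacker-chosen redirect target smuggle a second header into the response, and the hardened builder rejects the value before it reaches the wire. The function names and the sample attacker input are constructed for this example.

```python
CRLF = "\r\n"


def build_redirect_vulnerable(location: str) -> bytes:
    """Emit a 302 response head with the Location value used unchecked, which is what
    an unguarded header() call does on PHP versions that do not reject newlines."""
    return f"HTTP/1.1 302 Found{CRLF}Location: {location}{CRLF}{CRLF}".encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    """Same response, but refuse any value carrying CR or LF before it is serialised."""
    if "\r" in location or "\n" in location:
        raise ValueError("header value must not contain CR or LF")
    return build_redirect_vulnerable(location)


def parse_response_head(raw: bytes) -> dict:
    """Parse the status line and headers the way a client would, grouping repeats by name."""
    head, _, _body = raw.decode("latin-1").partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


# Constructed attacker input: a redirect target carrying an injected Set-Cookie header.
ATTACKER_LOCATION = "/home\r\nSet-Cookie: session=attacker-chosen; Path=/"


def headers_seen_by_client(location: str = ATTACKER_LOCATION, hardened: bool = False) -> dict:
    """Headers a client parses out of the response built from `location`."""
    builder = build_redirect_hardened if hardened else build_redirect_vulnerable
    return parse_response_head(builder(location))
```

With the vulnerable builder the client sees a Set-Cookie header the application never set; with the hardened builder the same input raises ValueError. Rejecting rather than stripping is the safer choice: a stripped value silently redirects somewhere the developer did not intend, while a rejection surfaces the tampering attempt in logs.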

RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.